Banazîr the Jedi Hobbit (banazir) wrote,

Frienditto: privacy and security, verification, and open source

For those who came in late (as I did): Thanks to tv_elf for this public service announcement about the frienditto service and the potential privacy hazard. I was busy fixing computer problems with zengeneral's help yesterday and today, and just learned of this service.

Summary and request

Edited, 11:30 and 15:00 CST: I didn't quite grasp the concept of the service originally, but after reading an explanation by deire, I think I've got it now. If there are still any errors in my understanding, please feel free to correct me.

To summarize, if you've been out of the loop as I have: the Frienditto archive can save locked posts from your friends page if you register on it using your password. The idea, as I understand it, is to provide the same kind of complete archival you can get for your own posts using ljArchive or web spider software such as Teleport Pro or wget. The price you pay for this "convenience" is, of course, that the maintainers of the service, with whom you have just trusted your password, then have your full privileges. They are theoretically able to:

  1. archive and redistribute your own posts (as if they were running ljArchive as you)

  2. amplify the privileges of other users by granting access to locked posts from your friends pages, archived or "live" on LJ, without the authorization of the original poster

  3. perform malignant actions such as spoofing your identity, locking you out of your own LJ, etc.

Thus, it poses an intellectual property (IP) and privacy risk to you and your friends if any of you use any of your friends filters in custom locks. It also poses a security and limited identity theft risk.

If you are on my friends list and currently use this service, please read tv_elf's PSA and refrain from using the service. As my LJ is a public one, my concern is only for any LJ friends who do use filters to lock posts. I have no concerns for my own part about who among my friends may have registered, but that's just this LiveJournal; I've also got tanelos, my GreatestJournal, etc.

For the record, I've never used the service, and never even heard of it until yesterday, so there is no leak through this channel if I am on your friends list.

Devil's advocacy, or trust no one
Why the smart cookie assumes anything posted to the Internet can be stolen

Information security is about formulating and maintaining one's own models of trust. This includes trusting that software does what the author claims it will do, and only what he or she says it will do. All of you who have studied IT security know this, but it apparently isn't common sense outside the field; hence this little didactic digression.

It is really a good idea to suppose that nothing you post to a service such as LiveJournal will necessarily remain private. Passwords can be stolen in many ways (some involving mundane social engineering, some indirect automated attacks, and some brute force repetitive or random attacks). Trust can be deliberately violated when people repost things in a fit of pique. Finally, more often than not, information leaks when people inadvertently say or write too much.

As this sarcastic and somewhat pugilistic post by hep underscores, the probable channel of information leaks is not some service of dubious trustworthiness, but people who might actually have some interest in your friends-only posts. The privacy risks of blogging, real and perceived, are the responsibility of the individual, generally speaking. Hence a growing social dichotomy between bloggers and non-bloggers, and the recent corporate crackdown on blogs (reported by CNN on 15 Feb 2005) due to professional blogs containing sensitive personal information, and vice versa.

As other friends have written: I have few concerns herein because the people on my friends list are by and large those I have deemed trustworthy to begin with, but you will also note that I never post anything in my LJ (or even my GJ, for that matter) that I wouldn't be prepared to defend in court. Just a crumb for thought.

Apology for software verification and formal methods in security

FWIW, I believe ljArchive, a software archival utility for LiveJournals, to be a better (and safer) way to save your journal. First and foremost, this rather underscores a point phawkwood once made, which I don't always heed when it comes to general functionality but strongly agree with when it comes to security:
    In general, it is better to use software than online services, because you have control over the server environment. [1]

As a general rule, you should fully trust only software for which you have been able to verify its function and behavior. This is, of course, infeasible in many situations, but:

  1. Someone you trust can do it for you and certify the code, or give you a certificate that you can check (more easily than analyzing the code in question).

  2. It is good to know you have the option, and this is one marked advantage of open source: if you have all of the code, and a computable specification that it meets, you can verify it, given the computational resources and inclination.

No, Anindya and the Bandera folks [2] didn't pay me to say this. But seriously, this is just one reason verification and proof-carrying code are important. So, if you are a fellow Microsoft user, think about it the next time Internet Explorer asks whether you always want to trust certificates from X company.
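As an added illustration (not code from this post, nor from ljArchive or Bandera) of the "certify the code" option in point 1 above: a reviewer you trust audits the code, signs a digest of it, and hands you that signed digest; you then check the signature against the reviewer's public key and recompute the digest over the copy you actually have. Both checks must pass, which is a far cheaper thing to verify than the code itself. The example uses Go's standard-library Ed25519 and SHA-256; the file names, contents and the key pair are constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Artifact models the code you received: file name -> contents.
// Everything in the samples below is constructed for this example.
type Artifact map[string][]byte

// Digest hashes the artifact in a canonical form: file names sorted, each name
// and content length NUL-delimited before the bytes, so renaming, reordering or
// moving bytes between files all change the digest.
func Digest(a Artifact) []byte {
	names := make([]string, 0, len(a))
	for n := range a {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%s\x00%d\x00", n, len(a[n]))
		h.Write(a[n])
	}
	return h.Sum(nil)
}

// Certificate is what the reviewer hands you: the digest they audited and a
// signature over it made with their private key.
type Certificate struct {
	Digest    []byte
	Signature []byte
}

// Certify is the reviewer's side, run after auditing the code.
func Certify(priv ed25519.PrivateKey, a Artifact) Certificate {
	d := Digest(a)
	return Certificate{Digest: d, Signature: ed25519.Sign(priv, d)}
}

// Verify is your side: check the reviewer's signature with their public key,
// then recompute the digest of the code you actually have and compare. A valid
// signature over a digest that does not match your copy means the code changed
// (or was swapped) after the audit, so the certificate says nothing about it.
func Verify(pub ed25519.PublicKey, a Artifact, c Certificate) bool {
	if !ed25519.Verify(pub, c.Digest, c.Signature) {
		return false
	}
	return bytes.Equal(Digest(a), c.Digest)
}

func main() {
	// The reviewer's key pair; in practice you obtain pub out of band.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	code := Artifact{
		"archive.go": []byte("package archive // constructed sample"),
		"README":     []byte("saves your journal locally"),
	}
	cert := Certify(priv, code)
	fmt.Printf("digest %s\nverified: %v\n", hex.EncodeToString(cert.Digest), Verify(pub, code, cert))

	// A copy that differs by one byte fails, even though the signature is
	// still valid for the digest the reviewer actually audited.
	code["archive.go"] = []byte("package archive // constructed sample!")
	fmt.Printf("verified after change: %v\n", Verify(pub, code, cert))
}
```

The reviewer's public key is the one thing you still have to trust, and you have to get it through a channel the software's distributor cannot tamper with; that is exactly the question behind the Internet Explorer "always trust certificates from X" prompt.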

[1] To an extent, this is why I run my own web, mail, and Wiki servers whenever possible.
[2] Does anyone else think of Smokey and the Bandit when they read this, or is it just the fact that it's almost 06:00 and I just got through watching Miyazawa's Spirited Away?

